Aaron Mulder on 22 Dec 2014 13:04:23 -0800



Re: [PLUG] Issuing a cert from OpenSSL without a CSR from the client


Since WebSphere uses Java, you might find that it expects to deal with
a Java "keystore" file, which is a black box file holding private
keys, certificates, etc.  And therefore you might want to do
something like this, using the keytool command that ships with Java:

Create a keystore file with a private key:
keytool -genkey -keyalg RSA -keystore [keystore file name to create]
-alias [server private key alias]

Create a certificate request:
keytool -certreq -alias [server private key alias] -file [CSR file
name] -keystore [keystore file name]

Sign the CSR with OpenSSL (not shown)

Load your self-signed certificate into the keystore as a trusted signer:
keytool -import -trustcacerts -file [CA cert PEM file to load] -alias
[CA cert alias] -keystore [keystore file name]

Load the server cert signed with OpenSSL:
keytool -import -alias [server private key alias] -file [signed CRT
file name to load] -keystore [keystore file name]

If you get "Failed to establish chain..." then run the previous
(-trustcacerts) step first.

This should give you a keystore file with one trusted CA cert and one
SSL private key+cert, both with aliases of your choosing.

Probably in the WebSphere configuration somewhere, you can point it to
a trust store (this keystore) and a private key store (also this
keystore) and you'll probably have to specify the alias of the server
private key in the keystore that you want it to use (even though
there's only one) and its password.

Or, if WebSphere already has a keystore with a private key, you can
just generate the CSR using the second command above and take it from
there.

Thanks,
      Aaron
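The whole flow above, including the "Sign the CSR with OpenSSL (not shown)" step, as an added example that is not part of the list thread. Everything in it is an assumption for illustration: the CA name, the server FQDN (connections.example.internal), the file names, the aliases (server, internal-ca) and the placeholder keystore password. The CA it creates is a throwaway stand-in for the real one on the Ubuntu VM; the keytool steps at the end run only where a JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not from the list thread): issue a server cert from an
# OpenSSL CA for a Java/WebSphere server. CA name, FQDN, file names,
# aliases and the keystore password are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
FQDN="${FQDN:-connections.example.internal}"   # assumed Connections server name
STOREPASS="changeit"                           # placeholder keystore password
DAYS=825

# 1. Throwaway CA with explicit CA extensions (the real CA already exists).
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Internal CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 3650 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Server key + CSR. In the thread's flow this is what `keytool -certreq`
#    exports from the WebSphere keystore, so the private key stays on the server.
#    Generating it on the CA side (what the question proposes) yields an equally
#    valid CSR, but then server.key must be transported to the server (step 5).
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$FQDN" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. The signing step. The CA, not the CSR, decides the extensions: the extfile
#    makes this a server cert whose SAN carries the FQDN (clients ignore the CN).
sign_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$FQDN" \
        > "$WORK/server.ext"
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days "$DAYS" -sha256 -extfile "$WORK/server.ext" \
        -out "$WORK/server.crt" 2>/dev/null
}

# 4. Checks before handing the cert back: it chains to the CA and names the host.
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1; }
san_present()  { openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "DNS:$FQDN"; }

# 5. Only needed when the key was made on the CA side: key + cert + CA cert have
#    to travel to the server together, and PKCS#12 is what keytool can import.
bundle_for_java() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -certfile "$WORK/ca.crt" -name server -passout "pass:$STOREPASS" \
        -out "$WORK/server.p12" 2>/dev/null
}

# 6. The keytool side of the thread's steps (runs only where a JDK is on PATH):
#    put the key entry into the server keystore, then add the CA as a trusted
#    signer (-trustcacerts), which is the step to run first if importing the
#    signed cert complains "Failed to establish chain".
import_into_keystore() {
    command -v keytool >/dev/null 2>&1 || return 0
    rm -f "$WORK/server-keystore.p12"
    keytool -importkeystore -noprompt -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -destkeystore "$WORK/server-keystore.p12" \
        -deststorepass "$STOREPASS"
    keytool -import -trustcacerts -noprompt -alias internal-ca -file "$WORK/ca.crt" \
        -keystore "$WORK/server-keystore.p12" -storepass "$STOREPASS"
}

run_all() {
    make_ca && make_csr && sign_csr && verify_chain && san_present \
        && bundle_for_java && import_into_keystore
    echo "signed cert for $FQDN is in $WORK/server.crt"
}
run_all
```

Run it as-is to see the flow end to end, or set FQDN and WORK in the environment first. The one design point worth keeping in mind: a CSR generated on the CA is just as valid as one from the server, but the private key then exists in two places and has to be moved, which is why the keytool -certreq route in the reply above is the cleaner one when the server can produce the request itself.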

On Mon, Dec 22, 2014 at 10:36 AM, Michael Leone <turgon@mike-leone.com> wrote:
> I'm gonna ask a stupid question. We use IBM's Connections product here (it's
> a collaboration software, Windows based). It installs with its own
> self-signed certificate. I have my own CA, running on an old Ubuntu VM. I
> want to issue a cert from it, for this server. That way, the cert will be
> trusted (I've already pushed our own CA cert out to all my clients).
>
> Here's where it gets weird - Connections uses IBM WebSphere as its web
> interface. And my Connections guy says he can't figure out how to get
> WebSphere to issue a cert request (CSR) that I can then sign, and use to
> issue him a cert. (don't ask me, I don't administer the thing)
>
> Leaving aside the obvious "go check the IBM site for how to request a cert
> with WebSphere", theoretically I should be able to also issue a CSR in the
> name of that Connections server, shouldn't I? If I do "openssl -req", and
> answer the prompts with the FQDN of the Connections server, I should be able
> to use the resulting CSR; sign it; issue a cert; and my guy then use that in
> WebSphere?
>
> Any request I generate myself on my CA, in the name of the Connections
> server, will be pretty much the same as an actual CSR generated on that
> Connections server, right? Just as valid a CSR, I mean.
>
> Thanks
>
>
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
>